CVELIST:CVE-2021-39205
Sep 15, 2021 - 5:15 p.m.

CVE-2021-39205 DOM-based XSS/Content Spoofing via Prototype Pollution

2021-09-15 17:15:12
CWE-1321
CWE-79
GitHub_M
www.cve.org
jitsi meet
xss
vulnerability
json
update

CVSS3: 6.8

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

EPSS: 0.001
Percentile: 38.2%

Jitsi Meet is an open source video conferencing application. Versions prior to 2.0.6173 are vulnerable to client-side cross-site scripting via injecting properties into JSON objects that were not properly escaped. There are no known incidents related to this vulnerability being exploited in the wild. This issue is fixed in Jitsi Meet version 2.0.6173. There are no known workarounds aside from upgrading.

CNA Affected

[
  {
    "product": "jitsi-meet",
    "vendor": "jitsi",
    "versions": [
      {
        "status": "affected",
        "version": "< 2.0.6173"
      }
    ]
  }
]
